Configure MS ADFS 3.0 as Brokered Identity Provider in Keycloak


Configure the Keycloak Server for SSL/TLS Transport

  1. Set the Keycloak HTTPS port to 443.
  2. To enable outgoing HTTPS connections to ADFS, export the ADFS certificate into a Java truststore:
    • In the ADFS management console, go to the Service/Certificates node and export the service communications certificate.
    • Import the certificate into a Java truststore (JKS format) using the Java keytool utility.
    • Set up the truststore in Keycloak as described in Keycloak Server Installation.

Configure the Identity Provider in Keycloak


Configure Basic Properties of a Brokered Identity Provider

  1. Open the Keycloak web interface.

  2. Log on as administrator.

  3. Click Identity Providers and add a new SAML v.2.0 provider.

    Hint - memorize alias

    Do not forget the provider alias you entered; you will need it later.

  4. Scroll to the bottom of the page.

  5. In Import from URL, enter the ADFS descriptor URL:

    • https://<ADFSdomainname>/FederationMetadata/2007-06/FederationMetadata.xml
  6. Click Import and check the settings.

    • The following settings are to be enabled:
      • Backchannel Logout
      • HTTP-POST Binding Response
      • HTTP-POST Binding for AuthnRequest
      • Validate Signature
  7. If the authentication requests sent to the ADFS instance are expected to be signed, enable the Want AuthnRequests Signed option. Set the SAML Signature Key Name field (shown after enabling Want AuthnRequests Signed) to CERT_SUBJECT, because ADFS expects the signing key name hint to be the subject of the signing certificate.

  8. If ADFS is set up to respond with the name ID in Windows Domain Qualified Name format, set the NameID Policy Format field accordingly.


Configure Mappers

ADFS sends the e-mail address and other user details as attributes of the SAML assertion. To transfer these details from the SAML document issued by ADFS into the Keycloak user store, set up mappers in the Mappers tab of the identity provider:

  1. For email the mapper is of type Attribute Importer. Map the user attribute email to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.

  2. For username the mapper is of type Username Template Importer. Map the user attribute username to ${ATTRIBUTE.http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname}.

  3. For surname the mapper is of type Attribute Importer. Map the user attribute lastName to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname.

  4. For given name the mapper is of type Attribute Importer. Map the user attribute firstName to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname.


Obtain Information for the ADFS Configuration

  1. Determine the SAML service provider descriptor URI that the ADFS setup needs: take the URI shown in the Redirect URI field of the identity provider and append /descriptor to it. The URI has the form
    • https://<Keycloak domain name>/auth/realms/master/broker/<identity provider alias>/endpoint/descriptor.

      Hint - URI check

      Verify the URI by opening it in a browser. The response should be a SAML service provider XML descriptor.


Configure Relying Party Trust in ADFS


Configure Relying Party

  1. In the ADFS management console, click Trust relationships/Relying Party Trusts.
  2. Select Add Relying Party Trust.
  3. A wizard opens.
  4. Enter the SAML descriptor URL obtained in the previous step into the Federation metadata address field.
  5. Import the ADFS settings.
  6. Proceed with the wizard, and adjust the settings where appropriate.

    Hint - further settings

    Keep the default settings. You still have to edit the claim rules, so leave the checkbox on the last page of the wizard selected.


Configure Claim Mapping

At this point the SAML protocol exchange itself works and ADFS can authenticate users in response to requests from Keycloak. However, the requested name ID format is not yet recognized, and the SAML response does not yet contain any additional information such as the e-mail address. It is therefore necessary to map claims from the AD user details into the SAML document. We will set up two rules: one for mapping the user ID and a second one for mapping the standard user attributes. Both start by clicking the Add Rule button in the Edit Claim Rules dialog.


Rule for Mapping user ID

  1. Open the Edit Claim Rules dialog.
  2. In the Add Transform Claim Rule dialog, select Transform an incoming claim.
  3. Map the following attributes:

    • Name ID as rule name
    • Windows account name for property Incoming claim type
    • Name ID for property Outgoing claim type
    • Windows qualified Domain Name for property Outgoing name ID format
  4. Click Finish to add the rule.


Rule for Mapping the Attributes of the Standard User

  1. Open the Edit Claim Rules dialog.
  2. In the Add Transform Claim Rule dialog, select Send LDAP Attributes as Claims.
  3. Map the following attributes:

    • E-Mail-Addresses to E-Mail Address
    • SAM-Account-Name to Subject Name
    • Your LDAP attributes for surname and given name
  4. Add other attributes if needed.


Troubleshooting


Check the Communication between Keycloak and ADFS

  1. Check in a web browser whether SAML messages are exchanged between Keycloak and ADFS, and capture them. The captured messages show the error status codes and the actual attribute names and values in the SAML assertion that you need for setting up the mappers.

    Hint - SAML decoders

    SAML decoders are available as browser extensions (e.g. SAML Tracer for Firefox, SAML Chrome Panel for Google Chrome).

    Example - unrecognized name ID format

    If the requested name ID format is not recognized, ADFS returns a SAML response containing the urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy status code.
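The decoding step above and the mapper set-up in Configure Mappers can be checked offline with a small script. The following is an added example, not part of the original page or of Keycloak: it decodes a Base64 SAMLResponse value as captured by a SAML tracer, lists the status codes, the NameID format and the assertion attributes, and then applies the four mappers from the Configure Mappers section (the ${ATTRIBUTE.<name>} substitution is a simplified model of the Username Template Importer). The embedded response is constructed sample data.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SUBJECT_NAME = "http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname"
INVALID_NAMEID = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
# The mappers from "Configure Mappers": three Attribute Importers plus the username template.
MAPPERS = {"email": CLAIMS + "emailaddress", "lastName": CLAIMS + "surname",
           "firstName": CLAIMS + "givenname"}
USERNAME_TEMPLATE = "${ATTRIBUTE." + SUBJECT_NAME + "}"

# Constructed sample, not a real capture: a minimal unsigned response shaped like the one ADFS sends once both claim rules exist.
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response ID="_r1" Version="2.0"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID
  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">EXAMPLE\\jdoe</saml:NameID>
 </saml:Subject><saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>""").decode()

def decode_saml_response(b64: str) -> dict:
    """Status codes, NameID (value, format) and attribute value lists of a Base64 SAML response."""
    root = ET.fromstring(base64.b64decode(b64))
    # Walk every StatusCode: ADFS nests InvalidNameIDPolicy under a top-level Requester code.
    codes = [c.get("Value") for c in root.iter("{%s}StatusCode" % NS["samlp"])]
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)}
    return {"status": codes, "attributes": attrs,
            "name_id": (name_id.text, name_id.get("Format")) if name_id is not None else None}

def keycloak_user(info: dict) -> dict:
    """Apply the mappers to a decoded response and return the Keycloak user fields."""
    if INVALID_NAMEID in info["status"]:
        raise ValueError("ADFS rejected the requested NameID format: check the Name ID claim rule")
    missing = [uri for uri in [*MAPPERS.values(), SUBJECT_NAME] if uri not in info["attributes"]]
    if missing:  # the "Send LDAP Attributes as Claims" rule does not issue all needed claims
        raise ValueError("assertion lacks claims: " + ", ".join(missing))
    user = {field: info["attributes"][uri][0] for field, uri in MAPPERS.items()}
    # Username Template Importer (simplified): substitute each ${ATTRIBUTE.<claim name>} placeholder.
    user["username"] = re.sub(r"\$\{ATTRIBUTE\.([^}]+)\}",
                              lambda m: info["attributes"][m.group(1)][0], USERNAME_TEMPLATE)
    return user
```

To analyse a real capture, pass the Base64 SAMLResponse value shown by the tracer to decode_saml_response and feed the result to keycloak_user; a ValueError names the claim rule that still needs attention.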


Check the Log Files

  1. The ADFS log files are available in the event viewer:
    • Applications and Services Logs/ADFS/Admin
  2. For Keycloak, enable tracing of the SAML processing by connecting to the running Keycloak instance with the management CLI:
    • jboss-cli.sh --connect
  3. Enter the following commands:

     /subsystem=logging/logger=org.keycloak.saml:add(level=DEBUG)
     /subsystem=logging/logger=org.keycloak.broker.saml:add(level=DEBUG)

    SAML messages and broker-related SAML processing messages are then displayed in the Keycloak server log.


Literature - SEAL Print Client knowledge base

For further information and known problems, refer to SEAL Print Client Knowledge Base.
